Summary of the invention
This application provides a method and apparatus for preventing DoS attacks in DS-Lite networking, so as to defend against DoS attacks in DS-Lite networking.
The technical scheme provided by this application comprises:
A method for preventing DoS attacks in DS-Lite networking, applied to the NAT router AFTR in the DS-Lite networking, comprising:
receiving an IPv6 packet sent by a Basic Bridging BroadBand element B4 in the DS-Lite networking;
judging whether the source IP address of the IPv6 packet exists in an established Trusted List, the source IP address of the IPv6 packet being the IP address of the B4;
if so, decapsulating the IPv6 packet to obtain the inner IPv4 packet and sending it;
if not, identifying whether the IPv6 packet carries validation confirmation information; if it does not, generating authorization information, carrying the authorization information in an IPv6 packet associated with the received IPv6 packet and returning it to the B4, so that the B4 generates validation confirmation information according to the received authorization information, carries it in an IPv6 packet associated with that associated IPv6 packet and returns it to the AFTR;
if it does, verifying the validation confirmation information and, when the verification succeeds, determining that the B4 is trusted and adding the source IP address of the IPv6 packet to the Trusted List.
A method for preventing DoS attacks in DS-Lite networking, applied to the Basic Bridging BroadBand element B4 in the DS-Lite networking, comprising:
receiving an IPv6 packet sent by the NAT router AFTR in the DS-Lite networking;
identifying whether the IPv6 packet carries authorization information;
if so, generating validation confirmation information according to the authorization information carried in the IPv6 packet, carrying the validation confirmation information in an IPv6 packet associated with the received IPv6 packet and sending it to the AFTR;
if not, decapsulating the received IPv6 packet to obtain the inner IPv4 packet and sending it.
An apparatus for preventing DoS attacks in DS-Lite networking, the apparatus being applied to the NAT router AFTR in the DS-Lite networking and comprising:
a receiving unit, for receiving an IPv6 packet sent by a Basic Bridging BroadBand element B4 in the DS-Lite networking;
a judging unit, for judging whether the source IP address of the IPv6 packet exists in an established Trusted List, the source IP address of the IPv6 packet being the IP address of the B4;
a processing unit, for decapsulating the IPv6 packet to obtain the inner IPv4 packet and sending it when the judgment result of the judging unit is yes; and, when the judgment result of the judging unit is no, identifying whether the IPv6 packet carries validation confirmation information and sending the identification result to an authentication unit;
an authentication unit, for generating authorization information when the identification result is no, carrying the authorization information in an IPv6 packet associated with the received IPv6 packet and returning it to the B4, so that the B4 generates validation confirmation information according to the received authorization information, carries it in an IPv6 packet associated with that associated IPv6 packet and returns it to the AFTR; and, when the identification result is yes, verifying the validation confirmation information and, when the verification succeeds, adding the source IP address of the IPv6 packet to the Trusted List.
An apparatus for preventing DoS attacks in DS-Lite networking, the apparatus being applied to the Basic Bridging BroadBand element B4 in the DS-Lite networking and comprising:
a receiving unit, for receiving an IPv6 packet sent by the NAT router AFTR in the DS-Lite networking;
a recognition unit, for identifying whether the IPv6 packet carries authorization information;
a processing unit, for generating validation confirmation information according to the authorization information carried in the IPv6 packet when the recognition unit identifies that the IPv6 packet carries authorization information, carrying the validation confirmation information in an IPv6 packet associated with the received IPv6 packet and sending it to the AFTR; and,
when the recognition unit identifies that the IPv6 packet does not carry authorization information, decapsulating the received IPv6 packet to obtain the inner IPv4 packet and sending it.
As can be seen from the above technical solutions, in the present invention, when the AFTR receives an IPv6 packet from a B4, it does not directly decapsulate the packet, perform NAT and forward it; instead it first verifies the authenticity of the B4 through a packet exchange with the B4, which prevents the AFTR from being subjected to DoS attacks.
Embodiment
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described below with reference to the drawings and specific embodiments.
The method provided by the invention adds a B4 verification process on top of the standard DS-Lite protocol. With the present invention, when the AFTR receives an IPv6 packet sent by a B4, it does not directly decapsulate the packet, perform NAT and forward it; instead it first verifies the authenticity of the B4 once through a packet exchange with the B4, and only when that verification succeeds does it decapsulate the IPv6 packet, perform NAT and forward it.
Refer to Fig. 4, which is a flowchart of the method provided by an embodiment of the present invention. The flow is applied to the NAT router AFTR in the DS-Lite networking and, as shown in Fig. 4, may comprise the following steps:
Step 401: receive an IPv6 packet sent by a B4 in the DS-Lite networking.
Step 402: judge whether the source IP address of the IPv6 packet exists in the established Trusted List, the source IP address of the IPv6 packet being the IP address of the B4; if so, perform step 403; if not, perform step 404.
Step 403: decapsulate the IPv6 packet to obtain the inner IPv4 packet and send it.
Here, decapsulating the IPv6 packet to obtain the inner IPv4 packet and sending it may be performed in the same way as an existing AFTR decapsulates and sends an IPv6 packet received from a B4; this is not repeated in the present invention.
Step 404: identify whether the IPv6 packet carries validation confirmation information. If not, generate authorization information, carry it in an IPv6 packet associated with the received IPv6 packet and return it to the B4, so that the B4 generates validation confirmation information according to the received authorization information, carries it in an IPv6 packet associated with that associated IPv6 packet and returns it to the AFTR. If so, verify the validation confirmation information and, when the verification succeeds, add the source IP address of the IPv6 packet to the Trusted List.
In the present invention, the IPv6 packet associated with the received IPv6 packet may be implemented in multiple ways; the present invention lists the following two:
Form 1:
In Form 1, the IPv6 packet associated with the received IPv6 packet is simply the packet obtained by exchanging the source IP address and the destination IP address of the received IPv6 packet; the original content sent by Client1 that is carried in the IPv6 packet, and the inner IPv4 packet of the IPv6 packet, are not changed at all.
It can be seen that with Form 1 the original content sent by Client1 and the IPv4 packet always travel between B4_1 and the AFTR, so the AFTR has no need to cache this original content. This saves the storage resources of the AFTR and ensures that no AFTR resource, such as cache, is occupied before B4_1 passes verification.
Form 2:
In Form 2, the IPv6 packet associated with the received IPv6 packet does not include the original content of the received IPv6 packet; instead it is a newly created IPv6 packet whose source IP address is the destination IP address of the received IPv6 packet and whose destination IP address is the source IP address of the received IPv6 packet.
In Form 2, to ensure that subsequent packets can still be sent smoothly after B4_1 passes verification, the AFTR needs to temporarily cache the IPv6 packet received in step 404. Compared with Form 1, Form 2 therefore occupies cache resources of the AFTR before the B4 passes verification.
To release the occupied cache resources of the AFTR promptly, in Form 2 the present invention may preferably further comprise, after B4_1 passes verification: decapsulating the cached IPv6 packet to obtain the inner IPv4 packet, sending it, and clearing the cached IPv6 packet.
This completes the flow shown in Fig. 4.
The flow shown in Fig. 4 is described in detail below, taking Form 1 as an example:
The method provided by the embodiment of the present invention is described below with reference to Fig. 5:
Refer to Fig. 5, which is a flowchart of the method provided by an embodiment of the present invention. The method again takes the DS-Lite networking shown in Fig. 2 as an example and, as shown in Fig. 5, may comprise the following steps:
Step 501: when Client1, which is connected to B4_1, needs to access a public-network IPv4 host, Client1 first sends an IPv4 packet to B4_1.
Step 502: when B4_1 receives the IPv4 packet from Client1, it encapsulates the IPv4 packet with an IPv6 header to form an IPv6 packet; the source IP address in this IPv6 header is the IP address of B4_1, the sender of the IPv6 packet.
Step 503: B4_1 sends the IPv6 packet to the AFTR through the IPv4-over-IPv6 tunnel between B4_1 and the AFTR.
Step 504: when the AFTR receives the IPv6 packet sent by the B4, it judges whether the source IP address of the IPv6 packet exists in the established Trusted List; if so, step 505 is performed; if not, step 506 is performed.
Step 505: decapsulate the IPv6 packet to obtain the inner IPv4 packet and send it.
Step 505 is performed on the premise that step 504 found the source IP address of the IPv6 packet in the Trusted List. Since this source IP address is in essence the IP address of the B4_1 that sent the packet, its presence in the Trusted List means that B4_1 is trusted and is not an attacker, so the IPv6 packet can be decapsulated directly to obtain the inner IPv4 packet, which is then sent. Here, decapsulating the IPv6 packet and sending the inner IPv4 packet may be performed in the same way as an existing AFTR handles an IPv6 packet received from a B4; this is not repeated in the present invention.
Further, in the present invention, the IP addresses in the Trusted List are added dynamically according to the subsequent step 511; see step 511 for details.
Step 506: identify whether the IPv6 packet carries validation confirmation information; if not, step 507 is performed; if so, step 511 is performed.
The validation confirmation information of the present invention is described in detail below.
Step 507: exchange the source IP address and the destination IP address of the IPv6 packet to obtain a new IPv6 packet, generate authorization information, carry the generated authorization information in the new IPv6 packet and return it to B4_1.
In the present invention, the authorization information is generated mainly from an identifier of B4_1, such as the IP address of B4_1; the AFTR therefore has no need to store the authorization information for B4_1, which saves the storage resources of the AFTR.
Preferably, to keep the generated authorization information secure and hard to crack, in the present invention the AFTR may periodically and dynamically generate a random number, for example one random number every 10 seconds, and generate the authorization information from this dynamically generated random number. Specifically, generating the authorization information may comprise:
identifying the random number generated in the current period;
performing a computation over the random number, the IP address of the B4 and the IP address of the AFTR, and taking the result as the authorization information.
Here, the present invention does not specifically limit the way the computation over the random number, the IP address of the B4 and the IP address of the AFTR is performed; for example, the MD5 algorithm or the SHA-1 algorithm may be used.
Step 508: when B4_1 receives the IPv6 packet sent by the AFTR, it identifies whether the received IPv6 packet carries authorization information; if so, step 509 is performed; if not, step 510 is performed.
Compared with the operation of an existing B4, in the present invention, when B4_1 receives an IPv6 packet sent by the AFTR it does not directly decapsulate and forward the packet; it first identifies whether the received IPv6 packet carries authorization information and handles the packet according to the identification result; see steps 509 and 510 for details.
Step 509: B4_1 generates validation confirmation information according to the authorization information carried in the received IPv6 packet, exchanges the source IP address and the destination IP address of the received IPv6 packet to obtain a new IPv6 packet, carries the generated validation confirmation information in the new IPv6 packet and sends it to the AFTR. The flow then returns to step 504.
In step 509, generating validation confirmation information according to the authorization information carried in the received IPv6 packet may be implemented as:
directly using the authorization information carried in the received IPv6 packet as the validation confirmation information; or
processing the authorization information carried in the received IPv6 packet in a manner previously agreed with the AFTR for generating validation confirmation information, and using the result as the validation confirmation information.
Step 510: decapsulate the received IPv6 packet to obtain the inner IPv4 packet and send it.
Step 510 may be performed in the same way as an existing B4 processes an IPv6 packet received from the AFTR, and is not repeated here.
Step 511: verify the validation confirmation information; when the verification succeeds, add the source IP address of the IPv6 packet to the Trusted List, remove the validation confirmation information carried in the IPv6 packet, decapsulate the IPv6 packet to obtain the inner IPv4 packet and send it.
In the present invention, the AFTR verifies the validation confirmation information against the authorization information it previously sent to B4_1. On that basis the AFTR would have to record all the authorization information it previously sent to B4_1 and, with many B4s, all the authorization information sent to each B4, which would consume a large amount of AFTR cache. For this reason, following the description above of how the authorization information is generated, the present invention no longer requires the AFTR to cache the authorization information sent to each B4; instead the AFTR caches only the random number generated in each period. Verifying the validation confirmation information in step 511 is then specifically as follows:
where B4_1 directly uses the authorization information carried in the received IPv6 packet as the validation confirmation information, the AFTR performs the computation over the random number generated in the current period, the IP address of the B4_1 that sent the validation confirmation information and the IP address of the AFTR, and judges whether the result is consistent with the validation confirmation information; if so, the validation confirmation information passes authentication; otherwise,
the AFTR performs the computation over the IP address of the B4_1 that sent the validation confirmation information, the IP address of the AFTR and, in turn, the random number generated in each of at least one period closest to the current period, and compares whether any of the results is consistent with the validation confirmation information; if so, the validation confirmation information passes authentication; otherwise it does not. The reason for also computing with the random numbers of one or more periods closest to the current period is to cover the case where the authorization information was sent in one period and the validation confirmation information is received in a later period with a different random number; this improves the accuracy of the verification.
Where B4_1 processes the authorization information carried in the received IPv6 packet in the manner previously agreed with the AFTR and uses the result as the validation confirmation information, the AFTR performs the computation over the random number generated in the current period, the IP address of the B4_1 that sent the validation confirmation information and the IP address of the AFTR, processes the result in the manner previously agreed for generating validation confirmation information, and judges whether the processed result is consistent with the validation confirmation information; if so, the validation confirmation information passes authentication; otherwise,
the AFTR performs the computation over the IP address of the B4_1 that sent the validation confirmation information, the IP address of the AFTR and, in turn, the random number generated in each of at least one period closest to the current period, processes each result in the manner previously agreed for generating validation confirmation information, and compares whether any of the processed results is consistent with the validation confirmation information; if so, the validation confirmation information passes authentication; otherwise it does not. As above, computing with the random numbers of one or more periods closest to the current period covers the case where the authorization information was sent and the validation confirmation information received in periods with different random numbers, which improves the accuracy of the verification.
Here, successful verification of the validation confirmation information in the IPv6 packet means that the B4_1 that sent the IPv6 packet is authentic and can be trusted.
In addition, in step 511, decapsulating the IPv6 packet to obtain the inner IPv4 packet and sending it may be performed in the same way as an existing AFTR processes an IPv6 packet received from a B4; this is not repeated in the present invention.
This completes the flow shown in Fig. 5. To facilitate understanding of the flow of Fig. 5, Fig. 6 shows the packet exchange among Client1, B4_1, the AFTR and the public-network IPv4 host.
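The exchange of steps 501 to 511 in Form 1, as an added Python model that is not part of the patent: the AFTR keeps no per-B4 state, only the random number of the current period and one earlier period (an assumed retention depth), recomputes the authorization information as SHA-256 over random number, B4 address and AFTR address (the patent names MD5/SHA-1 only as examples), and B4_1 echoes that value unchanged as its validation confirmation information. Packets and addresses are constructed stand-ins.

```python
import hashlib
import ipaddress
import secrets
from collections import deque

# Assumed parameters (the patent leaves them open): the AFTR retains the random
# number of the current period plus KEEP_PREVIOUS earlier periods, and the
# computation is SHA-256 (the patent names MD5/SHA-1 only as examples).
KEEP_PREVIOUS = 1


def make_packet(src, dst, inner, option=None):
    """Constructed stand-in for a B4 <-> AFTR IPv6 tunnel packet. 'inner' is
    the encapsulated IPv4 packet; 'option' models the DS-Lite verification
    option as a (kind, value) pair, or None when the option is absent."""
    return {"src": src, "dst": dst, "inner": inner, "option": option}


def swap_addresses(pkt, option):
    """Form 1: the associated packet is the received packet with source and
    destination exchanged and the inner IPv4 content left untouched."""
    return make_packet(pkt["dst"], pkt["src"], pkt["inner"], option)


def authorization_info(rand, b4_ip, aftr_ip):
    """Authorization information = H(period random || B4 IP || AFTR IP).
    Nothing per-B4 is stored: the value is recomputed from these inputs."""
    h = hashlib.sha256()
    h.update(rand)
    h.update(ipaddress.IPv6Address(b4_ip).packed)
    h.update(ipaddress.IPv6Address(aftr_ip).packed)
    return h.digest()


class AFTR:
    def __init__(self, ip):
        self.ip = ip
        self.trusted = set()                            # the Trusted List
        self.rands = deque(maxlen=KEEP_PREVIOUS + 1)    # newest period first
        self.new_period()

    def new_period(self):
        """Called once per period (the patent's example: every 10 seconds)."""
        self.rands.appendleft(secrets.token_bytes(16))

    def verify(self, confirm, b4_ip):
        """Step 511: current period's random number first, then the retained
        earlier ones, so a challenge issued just before a rollover still verifies."""
        return any(secrets.compare_digest(confirm, authorization_info(r, b4_ip, self.ip))
                   for r in self.rands)

    def receive(self, pkt):
        """Returns ('forward', inner_ipv4), ('challenge', packet) or ('drop', None)."""
        src = pkt["src"]
        if src in self.trusted:                         # steps 504/505
            return "forward", pkt["inner"]
        opt = pkt["option"]
        if opt is None or opt[0] != "confirm":          # steps 506/507
            token = authorization_info(self.rands[0], src, self.ip)
            return "challenge", swap_addresses(pkt, ("auth", token))
        if self.verify(opt[1], src):                    # step 511
            self.trusted.add(src)
            return "forward", pkt["inner"]              # option removed
        return "drop", None


class B4:
    def __init__(self, ip, aftr_ip):
        self.ip, self.aftr_ip = ip, aftr_ip

    def send(self, inner):
        """Steps 502/503: encapsulate the client's IPv4 packet for the tunnel."""
        return make_packet(self.ip, self.aftr_ip, inner)

    def receive(self, pkt):
        """Steps 508 to 510: answer a challenge, otherwise decapsulate."""
        opt = pkt["option"]
        if opt is not None and opt[0] == "auth":
            # Simplest variant in the patent: echo the authorization information
            # unchanged as the validation confirmation information.
            return "reply", swap_addresses(pkt, ("confirm", opt[1]))
        return "forward", pkt["inner"]


def run_exchange(aftr, b4, inner, rollover_before_reply=False):
    """Drive one Client1 -> B4_1 -> AFTR exchange and return the AFTR verdicts."""
    verdicts = []
    action, pkt = aftr.receive(b4.send(inner))
    verdicts.append(action)
    if action == "challenge":
        if rollover_before_reply:
            aftr.new_period()                           # period changes mid-exchange
        _, reply = b4.receive(pkt)
        action, _ = aftr.receive(reply)
        verdicts.append(action)
    return verdicts
```

A B4 that never answers the challenge costs the AFTR no memory, and a confirmation that matches neither the current nor the retained earlier random number is dropped.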
Preferably, in the present invention, both the authorization information and the validation confirmation information are carried in a DS-Lite verification option within the IPv6 Destination Options extension header of the IPv6 packet (in which case the Next Header field value in the IPv6 packet is 60). According to the IPv6 protocol, the Destination Options extension header is examined only when the packet reaches its destination; in the present invention the destination of the IPv6 packet received by the AFTR is the AFTR itself, and the destination of the IPv6 packet received by the B4 is the B4 itself, so the Destination Options extension header is the most suitable carrier. Of course, as an embodiment of the present invention, the DS-Lite verification option may also be carried at another position in the extension headers, or in a separately created IPv6 packet; the present invention does not specifically limit this.
Where the DS-Lite verification option is carried in the IPv6 Destination Options extension header, carrying the computed authorization information in the IPv6 packet associated with the received IPv6 packet and returning it to B4_1 in step 507 comprises:
identifying whether the associated IPv6 packet has an IPv6 Destination Options extension header;
if so, adding a DS-Lite verification option to the IPv6 Destination Options extension header, inserting the computed authorization information into the DS-Lite verification option, and then returning the associated IPv6 packet to B4_1;
if not, creating an IPv6 Destination Options extension header, inserting the created header into the associated IPv6 packet, adding a DS-Lite verification option to the IPv6 Destination Options extension header, inserting the computed authorization information into the DS-Lite verification option, and then returning the associated IPv6 packet to B4_1. Likewise, in step 509, B4_1 carries the validation confirmation information in the new IPv6 packet and sends it to the AFTR on the same principle, which is not repeated here.
Still taking the case where the DS-Lite verification option is carried in the IPv6 Destination Options extension header, identifying in step 506 whether the IPv6 packet carries validation confirmation information comprises:
identifying whether the IPv6 packet has an IPv6 Destination Options extension header;
if so, identifying whether the IPv6 Destination Options extension header contains a DS-Lite verification option into which validation confirmation information has been inserted; if so, determining that the IPv6 packet carries validation confirmation information; if not, determining that the IPv6 packet does not carry validation confirmation information;
if not, determining that the IPv6 packet does not carry validation confirmation information.
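The carriage described above, as an added Python example on raw bytes (not code from the patent): the Destination Options header (Next Header 60) is extended with a DS-Lite verification option when it already exists and created when it does not (steps 507/509), searched for that option (steps 506/508), and skipped at decapsulation (steps 505/510/511), with RFC 8200 padding kept at an 8-octet multiple. The option type 0x1E and the minimal IPv6 builder are constructed placeholders; the patent assigns no option type number.

```python
import ipaddress
import struct

DEST_OPTS = 60            # Next Header value of the IPv6 Destination Options header
IPIP = 4                  # Next Header value of an encapsulated IPv4 packet (DS-Lite)
PAD1, PADN = 0, 1         # RFC 8200 padding options
DSLITE_VERIFY_OPT = 0x1E  # PLACEHOLDER option type: the patent assigns no number


def build_ipv6(src, dst, next_header, payload):
    """Constructed minimal IPv6 base header (40 octets) in front of payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def parse_options(area):
    """Yield (type, data) for each option in a Destination Options option area."""
    i = 0
    while i < len(area):
        if area[i] == PAD1:                  # Pad1 has no length octet
            i += 1
            continue
        length = area[i + 1]
        yield area[i], area[i + 2:i + 2 + length]
        i += 2 + length


def pad_options(options):
    """Pad so that 2 + len(options) is a multiple of 8, as RFC 8200 requires."""
    gap = (-(2 + len(options))) % 8
    if gap == 1:
        return options + bytes([PAD1])
    if gap > 1:
        return options + bytes([PADN, gap - 2]) + b"\x00" * (gap - 2)
    return options


def add_verification_option(pkt, value):
    """Steps 507/509: put the DS-Lite verification option into the existing
    Destination Options header, or create that header when it is absent."""
    nh = pkt[6]
    base, rest = pkt[:40], pkt[40:]
    new_opt = bytes([DSLITE_VERIFY_OPT, len(value)]) + value
    if nh == DEST_OPTS:
        inner_nh, hlen = rest[0], (rest[1] + 1) * 8
        # keep the real options already present, drop old padding, re-pad below
        kept = b"".join(bytes([t, len(d)]) + d
                        for t, d in parse_options(rest[2:hlen]) if t != PADN)
        options, after = pad_options(kept + new_opt), rest[hlen:]
    else:
        inner_nh, options, after = nh, pad_options(new_opt), rest
    ext = bytes([inner_nh, (2 + len(options)) // 8 - 1]) + options
    base = base[:4] + struct.pack("!HB", len(ext) + len(after), DEST_OPTS) + base[7:]
    return base + ext + after


def find_verification_option(pkt):
    """Steps 506/508: return the option value if the packet has a Destination
    Options header carrying the DS-Lite verification option, else None."""
    if pkt[6] != DEST_OPTS:
        return None
    hlen = (pkt[41] + 1) * 8
    for opt_type, data in parse_options(pkt[42:40 + hlen]):
        if opt_type == DSLITE_VERIFY_OPT:
            return bytes(data)
    return None


def decapsulate(pkt):
    """Steps 505/510/511: skip the base header and any Destination Options
    header; return (inner Next Header value, inner IPv4 packet)."""
    nh, rest = pkt[6], pkt[40:]
    if nh == DEST_OPTS:
        return rest[0], rest[(rest[1] + 1) * 8:]
    return nh, rest
```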
This completes the description of the method provided by the present invention.
The apparatus provided by the present invention is described below:
Refer to Fig. 7, which is a structural diagram of the apparatus provided by an embodiment of the present invention. The apparatus is applied to the NAT router AFTR in the DS-Lite networking and, as shown in Fig. 7, comprises:
a receiving unit, for receiving an IPv6 packet sent by a Basic Bridging BroadBand element B4 in the DS-Lite networking;
a judging unit, for judging whether the source IP address of the IPv6 packet exists in an established Trusted List, the source IP address of the IPv6 packet being the IP address of the B4;
a processing unit, for decapsulating the IPv6 packet to obtain the inner IPv4 packet and sending it when the judgment result of the judging unit is yes; and, when the judgment result of the judging unit is no, identifying whether the IPv6 packet carries validation confirmation information and sending the identification result to an authentication unit;
an authentication unit, for generating authorization information when the identification result is no, carrying the authorization information in an IPv6 packet associated with the received IPv6 packet and returning it to the B4, so that the B4 generates validation confirmation information according to the received authorization information, carries it in an IPv6 packet associated with that associated IPv6 packet and returns it to the AFTR; and, when the identification result is yes, verifying the validation confirmation information and, when the verification succeeds, adding the source IP address of the IPv6 packet to the Trusted List.
In the present invention, preferably, the IPv6 packet associated with the received IPv6 packet is the packet obtained by exchanging the source IP address and the destination IP address of the received IPv6 packet.
In the present invention, the IPv6 packet associated with that associated IPv6 packet is the packet obtained by exchanging the source IP address and the destination IP address of the associated IPv6 packet. On this basis, after adding the source IP address of the IPv6 packet to the Trusted List, the authentication unit further sends a processing notification to the processing unit;
on receiving the processing notification, the processing unit further removes the validation confirmation information carried in the IPv6 packet, decapsulates the IPv6 packet to obtain the inner IPv4 packet and sends it.
In the present invention, the authentication unit further generates a random number periodically; based on the periodically generated random number, the process by which the authentication unit computes the authorization information may comprise:
identifying the random number generated in the current period;
performing a computation over the random number, the IP address of the B4 and the IP address of the AFTR, and taking the result as the authorization information.
In the present invention, the process by which the authentication unit carries the computed authorization information in the IPv6 packet associated with the received IPv6 packet and returns it to the B4 may comprise:
identifying whether the associated IPv6 packet has an IPv6 Destination Options extension header;
if so, adding a DS-Lite verification option to the IPv6 Destination Options extension header, inserting the computed authorization information into the DS-Lite verification option, and then returning the associated IPv6 packet to the B4;
if not, creating an IPv6 Destination Options extension header, inserting the created header into the associated IPv6 packet, adding a DS-Lite verification option to the IPv6 Destination Options extension header, inserting the computed authorization information into the DS-Lite verification option, and then returning the associated IPv6 packet to the B4.
In the present invention, the process by which the processing unit identifies whether the IPv6 packet carries validation confirmation information may comprise:
identifying whether the IPv6 packet has an IPv6 Destination Options extension header;
if so, identifying whether the IPv6 Destination Options extension header contains a DS-Lite verification option into which validation confirmation information has been inserted; if so, determining that the IPv6 packet carries validation confirmation information; if not, determining that the IPv6 packet does not carry validation confirmation information;
if not, determining that the IPv6 packet does not carry validation confirmation information.
This completes the apparatus shown in Fig. 7.
Preferably, the present invention also provides another apparatus structure. Refer to Fig. 8, which is a structural diagram of another apparatus provided by an embodiment of the present invention. The apparatus is applied to the B4 in the DS-Lite networking and, as shown in Fig. 8, comprises:
a receiving unit, for receiving an IPv6 packet sent by the NAT router AFTR in the DS-Lite networking;
a recognition unit, for identifying whether the IPv6 packet carries authorization information;
a processing unit, for generating validation confirmation information according to the authorization information carried in the IPv6 packet when the recognition unit identifies that the IPv6 packet carries authorization information, carrying the validation confirmation information in an IPv6 packet associated with the received IPv6 packet and sending it to the AFTR; and,
when the recognition unit identifies that the IPv6 packet does not carry authorization information, decapsulating the received IPv6 packet to obtain the inner IPv4 packet and sending it.
Preferably, in the present invention, the processing unit carrying the validation confirmation information in the IPv6 packet associated with the received IPv6 packet and sending it to the AFTR comprises:
determining the packet obtained by exchanging the source IP address and the destination IP address of the received IPv6 packet as the IPv6 packet associated with the received IPv6 packet;
carrying the validation confirmation information in the determined IPv6 packet and sending it to the AFTR.
This completes the apparatus structure shown in Fig. 8.
As can be seen from the above technical solutions, in the present invention, when the AFTR receives an IPv6 packet from a B4, it does not directly decapsulate the packet, perform NAT and forward it; instead it first verifies the authenticity of the B4 through a packet exchange between the AFTR and the B4, which prevents the AFTR from being subjected to DoS attacks;
further, in the present invention, when the authenticity of the B4 is verified, the authorization information is inserted into the original content sent by the Client; this minimizes the resource consumption of the AFTR in verifying the authenticity of the B4, giving high performance and strong reliability.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the present invention; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.